pgen password generator

See below for instructions, notes and suchlike.

pgen

Hash:
Testcase: -- this helps you check the secret key is correct
Schema: -- this transforms the secret key, $S, and input $I to hash
Secret: -- choose a secret phrase, memorise it, and tell nobody
Input: -- enter the name of the password, e.g. 'mywebsite' or 'paypal'
Length: -- number of characters to produce
Punctuation: -- replace @ and # with X for sites that don't like punctuation

Test output:

Pgen output:

Instructions

Set the schema (or stick with the default). Set the secret key (this is not displayed, but be aware that someone with physical access can recover the value using the JavaScript console, so always close this tab/window when done). Pick the hash you want. To check you have typed the secret key correctly, use a test case: a string, such as 'MrFlibble' or 'HexVision', that you won't use elsewhere. Memorise the first 3-4 characters of its output. For example, with SHA-256 and schema($I,$S), and secret key 'hex', the first three characters produced are '@7z'. It is quite practical to use the empty string as the test case. Also, ensure you have set the correct length.

Once everything is set, enter input strings into the Input box, and press Return. For example, for amazon, you can enter 'amazon', and for facebook, you can enter 'facebook'. If the schema or secret key is changed even slightly, or a different hash is chosen, the output will be vastly different. Thus, provided you keep the secret key secret and remember the hash and schema settings, you can use the output strings as passwords. Usefully, this method requires essentially no storage, and can be reproduced on a standard Linux command line (or the Apple Mac OSX command line, provided you have the hash, cut and xxd commands available). Joyfully, there are no subscription fees, no encrypted database to worry about, and you can even see how it works. -- John Chalisque

If you would like a local copy, download this file, and md5.min.js and sha.js. The sha.js file comes from jsSHA 2.0.1 (from here), and the md5.min.js file comes from JavaScript-MD5 (from here).

Notes

Important: in the schema, $S expands to the secret, and $I to the input. Do NOT have the string $I occur in your secret. You can have $S occur in the input, and it will NOT expand to the secret. But if you put $I in the secret, the input will get substituted. Feel free to hack the Javascript if you want things to work differently.

My first sketch of pgen used md5sum on the Linux command line, and used 'echo' rather than 'echo -n' before piping into md5sum. Thus there was a '\n' quietly appended, which of course changes the output of the hash. MD5n emulates this behaviour, whilst MD5 does not. Note that the two MD5 pgens take the hex representation of the md5, with lowercase a-f, and put that through base64 conversion.

The sha versions are improved relative to that. They generate the base64 from the binary form of the output of the hash, since the sha.js used makes that easy. The md5sum versions, by contrast, really only generate 16 character passwords based on 12 hex digits, hence 6 bytes, or 2^48 possibilities. There is, however, little point fixing this, since if we want something stronger we can use the sha generators, which generate 12 bytes worth of information in the 16 character password, or 2^96 possibilities.

The punctuation selector, when deselected, replaces all characters other than A-Z, a-z, 0-9, with X's.

The standard javascript btoa() function is used for base64, and then + is replaced by @, and / by #.
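
The derivation described in these notes, re-implemented in Python as an added example (it is not the page's JavaScript and not the author's command-line script). The default schema string `$I,$S`, UTF-8 input encoding and replace-all substitution are assumptions, and `underlying_bytes` is a hypothetical helper that shows how much hash material a 16 character output really carries.

```python
import base64
import hashlib
import re


def expand(schema: str, secret: str, value: str) -> str:
    # $S is expanded before $I, which is why "$I" inside the secret gets
    # replaced by the input while "$S" inside the input is left alone.
    # Assumption: every occurrence of each placeholder is replaced.
    return schema.replace("$S", secret).replace("$I", value)


def pgen(secret, value, schema="$I,$S", algo="sha256", length=16, punctuation=True):
    """algo: 'md5', 'md5n' (md5 with trailing newline) or a SHA name such as 'sha256'.
    The default schema here is an assumption, not the page's default."""
    text = expand(schema, secret, value)
    if algo == "md5n":
        text += "\n"  # emulates `echo` without -n
    raw = text.encode("utf-8")  # assumption: UTF-8 input encoding
    if algo in ("md5", "md5n"):
        # MD5 variants base64-encode the lowercase hex text of the digest.
        material = hashlib.md5(raw).hexdigest().encode("ascii")
    else:
        # SHA variants base64-encode the binary digest.
        material = hashlib.new(algo, raw).digest()
    out = base64.b64encode(material).decode("ascii")[:length]
    out = out.replace("+", "@").replace("/", "#")
    if not punctuation:
        out = re.sub(r"[^A-Za-z0-9]", "X", out)
    return out


def underlying_bytes(password: str) -> bytes:
    """Undo the @/# mapping and the base64 step (length must be a multiple of 4)."""
    return base64.b64decode(password.replace("@", "+").replace("#", "/"))


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for algo in ("md5", "sha256"):
        pw = pgen("hex", "amazon", algo=algo)
        print(algo, pw, underlying_bytes(pw))
    # md5: 12 hex characters, i.e. 6 bytes (2^48); sha256: 12 raw bytes (2^96).
    print(expand("$I,$S", "my$Isecret", "amazon"))  # input is substituted into the secret
```

Decoding a 16 character MD5 output yields 12 lowercase hex characters (6 bytes of digest), while decoding a SHA output yields the first 12 raw digest bytes.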

Source code

Finally, for those on Linux, Mac, anything *NIX, or Windows with cygwin and the hashing programs, xxd, cut and base64 installed, the following is a script for the command line which produces the same passwords as this page.